Debian 10264 Published by

The Debian project has released the first update for Debian GNU/Linux 12 Bookworm, which includes security updates and a few fixes for serious issues.



Updated Debian 12: 12.1 released

The Debian project is pleased to announce the first update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Debian_12

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

PackageReason
aideProperly handle creating the system user; fix child directory processing on equal match
autofsFix hang when using Kerberos-authenticated LDAP
ayatana-indicator-datetimeFix playing of custom alarm sounds
base-filesUpdate for the 12.1 point release
bepastyFix rendering of text uploads
boost1.81Add missing dependency on libboost-json1.81.0 to libboost-json1.81-dev
bupCorrectly restore POSIX ACLs
contextEnable socket in ConTeXt mtxrun
cpdb-libsFix a buffer overflow vulnerability [CVE-2023-34095]
cpp-httplibFix CRLF injection issue [CVE-2023-26130]
crowdsecFix default acquis.yaml to also include the journalctl datasource, limited to the ssh.service unit, making sure acquisition works even without the traditional auth.log file; make sure an invalid datasource doesn't make the engine error out
cupsSecurity fixes: use-after-free [CVE-2023-34241]; heap buffer overflow [CVE-2023-32324]
cvsConfigure full path to ssh
dbusNew upstream stable release; fix denial of service issue [CVE-2023-34969]; stop trying to take DPKG_ROOT into account, restoring copying of systemd's /etc/machine-id in preference to creating an entirely new machine ID
debian-installerIncrease Linux kernel ABI to 6.1.0-10; rebuild against proposed-updates
debian-installer-netboot-imagesRebuild against proposed-updates
desktop-baseRemove emerald alternatives on package uninstallation
dh-pythonRe-introduce Breaks+Replaces on python2 needed to help apt in some upgrade scenarios
dkmsAdd Breaks against obsolete, incompatible *-dkms packages
dnfFix default DNF const PYTHON_INSTALL_DIR
dpdkNew upstream stable release
exim4Fix argument parsing for ${run } expansion; fix ${srs_encode ..} returning incorrect result every 1024 days
faiFix IP address lifetime
glibcFix a buffer overflow in gmon; fix a deadlock in getaddrinfo (__check_pf) with deferred cancellation; fix y2038 support in strftime on 32-bit architectures; fix corner case parsing of /etc/gshadow which can return bad pointers, causing segfaults in applications; fix a deadlock in system() when called concurrently from multiple threads; cdefs: limit definition of fortification macros to __FORTIFY_LEVEL > 0 to support old C90 compilers
gnome-control-centerNew upstream bugfix release
gnome-mapsNew upstream bugfix release
gnome-shellNew upstream bugfix release
gnome-softwareNew upstream release; memory leak fixes
gosaSilence PHP 8.2 deprecation warnings; fix missing template in default theme; fix table styling; fix use of debugLevel > 0
groongaFix documentation links
guestfs-toolsSecurity update [CVE-2022-2211]
indentRestore the ROUND_UP macro and adjust the initial buffer size
installation-guideEnable Indonesian translation
kanboardFix malicious injection of HTML tags into DOM [CVE-2023-32685]; fix parameter-based indirect object referencing leading to private file exposure [CVE-2023-33956]; fix missing access controls [CVE-2023-33968, CVE-2023-33970]; fix stored XSS in Task External Link functionality [CVE-2023-33969]
kf5-messagelibSearch also for subkeys
libmatekbdFix memory leaks
libnginx-mod-http-modsecurityBinary rebuild with pcre2
libreofficeNew upstream bugfix release
libreswanFix potential denial-of-service issue [CVE-2023-30570]
libxml2Fix NULL pointer dereference issue [CVE-2022-2309]
linuxNew upstream stable release; netfilter: nf_tables: do not ignore genmask when looking up chain by id [CVE-2023-31248], prevent OOB access in nft_byteorder_eval [CVE-2023-35001]
linux-signed-amd64New upstream stable release; netfilter: nf_tables: do not ignore genmask when looking up chain by id [CVE-2023-31248], prevent OOB access in nft_byteorder_eval [CVE-2023-35001]
linux-signed-arm64New upstream stable release; netfilter: nf_tables: do not ignore genmask when looking up chain by id [CVE-2023-31248], prevent OOB access in nft_byteorder_eval [CVE-2023-35001]
linux-signed-i386New upstream stable release; netfilter: nf_tables: do not ignore genmask when looking up chain by id [CVE-2023-31248], prevent OOB access in nft_byteorder_eval [CVE-2023-35001]
mailman3Drop redundant cron job; handle ordering of services when MariaDB is present
marcoShow correct window title when owned by superuser
mate-control-centerFix several memory leaks
mate-power-managerFix several memory leaks
mate-session-managerFix several memory leaks; allow clutter backends other than x11
multipath-toolsHide underlying paths from LVM; prevent initial service failure on new installations
mutterNew upstream bugfix release
network-manager-strongswanBuild editor component with GTK 4 support
nfdumpReturn success when starting; fix segfault in option parsing
nftablesFix regression in set listing format
node-openpgp-seek-bzipCorrect installation of files in seek-bzip package
node-tough-cookieFix prototype pollution issue [CVE-2023-26136]
node-undiciSecurity fixes: protect Host HTTP header from CLRF injection [CVE-2023-23936]; potential ReDoS on Headers.set and Headers.append [CVE-2023-24807]
node-webpackSecurity fix (cross-realm objects) [CVE-2023-28154]
nvidia-cuda-toolkitUpdate bundled openjdk-8-jre
nvidia-graphics-driversNew upstream stable release; security fixes [CVE-2023-25515 CVE-2023-25516]
nvidia-graphics-drivers-teslaNew upstream stable release; security fixes [CVE-2023-25515 CVE-2023-25516]
nvidia-graphics-drivers-tesla-470New upstream stable release; security fixes [CVE-2023-25515 CVE-2023-25516]
nvidia-modprobeNew upstream bugfix release
nvidia-open-gpu-kernel-modulesNew upstream stable release; security fixes [CVE-2023-25515 CVE-2023-25516]
nvidia-supportAdd Breaks against incompatible packages from bullseye
onionshareFix installation of desktop furniture
openvpnFix memory leak and dangling pointer (possible crash vector)
pacemakerFix regression in the resource scheduler
postfixNew upstream bugfix release; fix postfix set-permissions
proftpd-dfsgDo not enable inetd-style socket at installation
qemuNew upstream stable release; fix USB devices not being available to XEN HVM domUs; 9pfs: prevent opening special files [CVE-2023-2861]; fix reentrancy issues in the LSI controller [CVE-2023-0330]
request-tracker5Fix links to documentation
rime-cantoneseSort words and characters by frequency
rime-luna-pinyinInstall missing pinyin schema data
sambaNew upstream stable release; ensure manpages are generated during build; enable ability to store kerberos tickets in kernel keyring; fix build issues on armel and mipsel; fix windows logon/trust issues with 2023-07 windows updates
schleuder-cliSecurity fix (value escaping)
smarty4Fix arbitrary code execution issue [CVE-2023-28447]
spipVarious security issues; security fix (authentication data filtering)
sra-sdkFix installation of files in libngs-java
sudoFix event log format
systemdNew upstream bugfix release
tangFix race condition when creating/rotating keys [CVE-2023-1672]
texlive-binDisable socket in luatex by default [CVE-2023-32668]; make installable on i386
unixodbcAdd Breaks+Replaces against odbcinst1debian1
usb.idsUpdate included data
vmDisable byte compilation
vte2.91New upstream bugfix release
xerial-sqlite-jdbcUse a UUID for connection ID [CVE-2023-32697]
yajlMemory leak security fix; fix denial of service issue [CVE-2017-16516], integer overflow issue [CVE-2022-24795]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory IDPackage
DSA-5423 thunderbird
DSA-5425 php8.2
DSA-5427 webkit2gtk
DSA-5428 chromium
DSA-5429 wireshark
DSA-5430 openjdk-17
DSA-5432 xmltooling
DSA-5433 libx11
DSA-5434 minidlna
DSA-5435 trafficserver
DSA-5436 hsqldb1.8.0
DSA-5437 hsqldb
DSA-5439 bind9
DSA-5440 chromium
DSA-5443 gst-plugins-base1.0
DSA-5444 gst-plugins-bad1.0
DSA-5445 gst-plugins-good1.0
DSA-5446 ghostscript
DSA-5447 mediawiki
DSA-5448 linux-signed-amd64
DSA-5448 linux-signed-arm64
DSA-5448 linux-signed-i386
DSA-5448 linux
DSA-5449 webkit2gtk
DSA-5450 firefox-esr
DSA-5451 thunderbird

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.